The typical approach is to use realpath(). That would expand out any relative portions of the path, which you could then compare directly with the expected path and know for sure it's in a subdirectory of your intended photo directory.
If you go that way, though, you'll also want to stop using the literal '/' and use the DIRECTORY_SEPARATOR constant so that your script runs on windows. realpath(), aside from expanding relative paths, would convert / to \ on a windows platform.
I'm not a coder by any stretch of imagination, but I've managed to cobble together this simple PHP app for hosting my photos. Constructive feedback will be greatly appreciated.
A suggestion -- you mention "Automatic thumbnail generation" in the feature list but the thumbnails in the demo have massive file sizes (~80-100KB each at 800px width).
Thumbnails should generally be <20KB and <320px width. You could re-use the `createTim()` function you have to generate an additional, proper thumbnail instead of the 800px preview image squashed down via HTML as you do now.
I would also suggest to add some validation to your file upload. Currently you are allowing arbitrary files to be uploaded. Even though it is password protected, it is still trivial to brute force even with your sleep(3). The danger with allowing arbitrary file upload is someone can upload a script (PHP file for example) and run it basically allowing arbitrary code execution. This can lead to a whole slew of other issues.
To get started, I would suggest:
1. Generating your own file names w/extension instead of relying on $_FILES['filetoupload']['name']
2. After move_uploaded_file(), change file permissions to 644 to help mitigate possibility of file execution
3. Use getimagesize() to determine if file is indeed an image. It is still possible to embed code into a validate image to bypass getimagesize(), but #1 will help prevent Apache/etc from interpreting the file as PHP.
4. Ideally you would also strip metadata from the image file and only keep resized images and delete the originals.
Also would suggest that you do not use the same password on your demo site as you have posted on Github.
looks pretty cool! have you thought about integrating the php app into other projects?
I know for example that ownCloud has great problems to efficiently display images and something like what you created looks a lot better than what they have so far. Keep it up :)!
What, JS, PHP, and HTML all in the same procedural script? I get that the idea is that it's single-file, but it doesn't make for pretty (or terribly maintainable) code.
It's a neat little script, but I see at least one severe exploit in there ($filename - leave the rest to you).
This script is probably step number 5 in the 'how do I start out on this web-programming lark?' journey.
There is absolutely nothing wrong with being proud of it, regardless of the language or inevitable vulnerabilities that come from being inexperienced with web development.
It's a very small leap to go from this, to understanding separation of concerns.
Readit News
A shortened test case using the same code as the app to try and thwart traversal:
That would allow you to upload a file one directory above the intended $photo_dir.If you go that way, though, you'll also want to stop using the literal '/' and use the DIRECTORY_SEPARATOR constant so that your script runs on windows. realpath(), aside from expanding relative paths, would convert / to \ on a windows platform.
A suggestion -- you mention "Automatic thumbnail generation" in the feature list but the thumbnails in the demo have massive file sizes (~80-100KB each at 800px width).
Thumbnails should generally be <20KB and <320px width. You could re-use the `createTim()` function you have to generate an additional, proper thumbnail instead of the 800px preview image squashed down via HTML as you do now.
To get started, I would suggest:
1. Generating your own file names w/extension instead of relying on $_FILES['filetoupload']['name']
2. After move_uploaded_file(), change file permissions to 644 to help mitigate possibility of file execution
3. Use getimagesize() to determine if file is indeed an image. It is still possible to embed code into a validate image to bypass getimagesize(), but #1 will help prevent Apache/etc from interpreting the file as PHP.
4. Ideally you would also strip metadata from the image file and only keep resized images and delete the originals.
Also would suggest that you do not use the same password on your demo site as you have posted on Github.
I know for example that ownCloud has great problems to efficiently display images and something like what you created looks a lot better than what they have so far. Keep it up :)!
It's a neat little script, but I see at least one severe exploit in there ($filename - leave the rest to you).
Esp. after he clearly told that he would really like constructive feedback and stated, that he has no real coding experience.
Why would you play elite and kick someone lower in the ranks his way? It only shows your true colors. And imho they are not really nice in any way.
There is absolutely nothing wrong with being proud of it, regardless of the language or inevitable vulnerabilities that come from being inexperienced with web development.
It's a very small leap to go from this, to understanding separation of concerns.
Go easy on newcomers. We're not that elite.